[Mimedefang] Re: how to undo Verisigns mess
Ron Johnson
Ron.Johnson at CCRS.NRCan.gc.ca
Tue Sep 16 12:22:33 EDT 2003
>
> From: Joseph Brennan <brennan at columbia.edu>
>
> > Since recently, all .net and .com domains started to resolve, pointing to
> > a verisign owned server that shows a customized webpage.
> > roaringpiguin.com. 900 IN A 64.94.110.11
>
>
> Arg! Aside from forgeries, if legit mail is sent with a typo'd
> domain, the only chance we have to tell the sender is to reject
> during the smtp transaction.
>
> And then of course there ARE the deliberate forgeries.
>
> Checking for MX would probably affect too much legit mail (for
> some value of 'too much').
>
> I guess we want to know when the hostname in $Sender resolves
> to 64.94.110.11 specifically. Or to 127.0.0.1 and the like.
> What's an efficient way to do it?
>
If you control your own nameserver the following will turn the trick:
--------------------------------------------------------------
BIND Blocking Configuration (Score:4, Informative)
by Anonymous Coward on Monday September 15, @11:09PM (#6971408
<http://slashdot.org/comments.pl?sid=78637&cid=6971408>)
If you run a nameserver and want to return NXDOMAIN instead of Verisign's
IP, add this code to your named.conf if you are running BIND 9.2.2
    zone "11.110.94.64.in-addr.arpa" {
        type master;
        allow-query { none; };
    };
If you are running a version below 9.2.2 create a generic zonefile with
contents such as
    $TTL 288000
    @ IN SOA localhost. root.localhost. 1 7200 3600 604800 600
and use this line in named.conf instead
    zone "11.110.94.64.in-addr.arpa" {
        type master;
        file "generic.zone";
        allow-query { none; };
    };
--------------------------------------------------------------
(Note: Don't *create* the 11.110.94.64.in-addr.arpa. You'll get good old
NXDOMAIN)
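
The filter-side check asked about in the quoted message (does the domain in the envelope sender resolve to 64.94.110.11 or to loopback?) can be sketched as below. This is an added example, not code from the thread or from MIMEDefang itself: bogus_reason, check_sender_domain and dns_lookup_a are hypothetical helper names, Net::DNS is assumed to be installed, and the sample answers in the demo are constructed.

```perl
# Added example, not code from the thread. Helper names are hypothetical;
# filter_sender is the hook MIMEDefang calls with the envelope sender.
use strict; use warnings;

# Answers that mean "no real host here": the wildcard address quoted in
# the thread, plus loopback (127.0.0.0/8).
sub bogus_reason {
    my ($ip) = @_;
    return 'wildcard address' if $ip eq '64.94.110.11';
    return 'loopback'         if $ip =~ /^127\./;
    return;
}

# $lookup is a code ref: domain name -> list of IPv4 address strings.
# It is injected so the decision logic can be run without a network.
sub check_sender_domain {
    my ($sender, $lookup) = @_;
    (my $addr = $sender) =~ s/^\s*<|>\s*$//g;
    my ($domain) = $addr =~ /\@([^\@\s]+)$/;
    return ('CONTINUE', 'ok') unless defined $domain;    # null sender <>
    $domain =~ s/\.$//;
    for my $ip ($lookup->(lc $domain)) {
        my $why = bogus_reason($ip) or next;
        return ('REJECT', "Sender domain $domain resolves to $ip ($why)");
    }
    return ('CONTINUE', 'ok');    # includes lookup failure: fail open
}

# Real resolver (assumes Net::DNS is installed). Trailing dot = absolute name.
sub dns_lookup_a {
    my ($name) = @_;
    require Net::DNS;
    my $reply = Net::DNS::Resolver->new->query("$name.", 'A') or return;
    return map { $_->address } grep { $_->type eq 'A' } $reply->answer;
}
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    return check_sender_domain($sender, \&dns_lookup_a);
}

# Offline demo with constructed answers (runs only when executed directly).
unless (caller) {
    my %zone = ('roaringpiguin.com' => ['64.94.110.11'],
                'example.org'       => ['192.0.2.25'],
                'lo.example.net'    => ['127.0.0.1']);
    my $fake = sub { @{ $zone{ $_[0] } || [] } };
    for my $s ('<a@roaringpiguin.com>', '<b@example.org>', '<c@lo.example.net>', '<>') {
        print join(' ', $s, check_sender_domain($s, $fake)), "\n";
    }
}
```

Rejecting in filter_sender happens during the SMTP transaction, so a sender who mistyped a domain gets the error back from their own mail server.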